Requirements of a Data Protection Impact Assessment (DPIA)
Data protection legislation does not specify a particular process to be followed when undertaking a DPIA. However, it does set out minimum required features:
- a description of the proposed processing and the purposes – in relation to anonymous registration, this should include:
  - what the personal data is
  - who will have access
  - how it will be stored
  - who it will be disclosed to
- an assessment of the necessity and proportionality of the processing – in most cases for an ERO or RO this will be processing for the performance of a public task
- an assessment of the risks to the rights of the individuals affected
- the measures envisaged to address the risks and demonstrate compliance with data protection rules
  - for example, the measures you put in place to keep the identity of anonymous electors secure
A single DPIA may be undertaken where a set of similar processing operations present similar high risks.
The ICO has provided guidance on DPIAs on their website which includes examples of good practice.
You should:
- keep any DPIAs you have in place under review to determine if your processing operations require any further DPIA to be undertaken
- consider how you can ensure data protection is integral to all of your processing
- ensure that all your training – whether for canvassers, polling station staff, or your electoral services team – reflects data protection requirements. This will help you to embed the data protection principles in your work and demonstrate compliance
- ensure you discuss any data protection training with your council’s Data Protection Officer/Information Officer